Crypto expert Karsten Nohl released a tool that people can use to test whether their mobile phones can be snooped on and hopes the move will spur telecom providers to patch their GSM networks.
(Credit: Seth Rosenblatt/CNET)
LAS VEGAS — A researcher released software at the Black Hat conference on Thursday designed to let people test whether their calls on mobile phones can be eavesdropped on.
The public availability of the software – dubbed Airprobe — means that anyone with the right hardware can snoop on other peoples’ calls unless the target telecom provider has deployed a patch that was standardized about two years ago by the GSMA, the trade association representing GSM (Global System for Mobile Communications) providers, including AT&T and T-Mobile in the U.S.
Most telecom providers have not patched their systems, said cryptography expert Karsten Nohl.
“This talk will be a reminder to this industry to please implement these security measures because now customers can test whether they’ve patched the system or not,” he told CNET in an interview shortly before his presentation. “Now you can listen in on a strangers’ phone calls with very little effort.”
An earlier incarnation of Airprobe was incomplete so Nohl and others worked to make it usable, he said.
Airprobe offers the ability to record and decode GSM calls. When combined with a set of cryptographic tools called Kraken, which were released last week, “even encrypted calls and text messages can be decoded,” he said.
To test phones for interception capability you need: the Airprobe software and a computer; a programmable radio for the computer, which costs about $1,000; access to cryptographic rainbow tables that provide the codes for cracking GSM crypto (another Nohl project); and the Kraken tool for cracking the A5/1 crypto used in GSM, Nohl said.
More information about the tool and the privacy issues is on the Security Research Labs Web site. Nohl had demonstrated the capabilities of the technique in December and talked to CNET about its implications in January.
whois: firstname.lastname@example.org BE PREPARED